arch/x86_64: Add ARCH_INTEL64_DISABLE_CET

Intel CET (Control-flow Enforcement Technology) is a hardware enhancement aimed at mitigating the Retpoline vulnerability, but it may impact CPU branch prediction performance. This commit added ARCH_INTEL64_DISABLE_CET, which can disable CET completely with compilation option `-fcf-protection=none`. Signed-off-by: ouyangxiangzhen <ouyangxiangzhen@xiaomi.com>
2024-06-20 20:03:41 +08:00 · 2024-06-20 20:03:41 +08:00 · cb7894d644
commit cb7894d644
parent 126221df97
2 changed files with 13 additions and 0 deletions
--- a/arch/x86_64/src/common/Toolchain.defs
+++ b/arch/x86_64/src/common/Toolchain.defs
@ -32,6 +32,10 @@ ARCHCPUFLAGS = -fPIC -fno-stack-protector -mno-red-zone -mrdrnd
 ARCHPICFLAGS = -fPIC
 ARCHWARNINGS = -Wall -Wstrict-prototypes -Wshadow -Wundef

+ifeq ($(CONFIG_ARCH_INTEL64_DISABLE_CET),y)
+  ARCHOPTIMIZATION += -fcf-protection=none
+endif
+
 # We have to use a cross-development toolchain under Cygwin because the native
 # Cygwin toolchains don't generate ELF binaries.

--- a/arch/x86_64/src/intel64/Kconfig
+++ b/arch/x86_64/src/intel64/Kconfig
@ -195,4 +195,13 @@ config ARCH_INTEL64_DISABLE_INT_INIT
 		controllers. This is necessary if those are already
 		initialized, i.e. Jailhouse system.

+config ARCH_INTEL64_DISABLE_CET
+	bool "Disable CET completely"
+	---help---
+		Intel CET (Control-flow Enforcement Technology) is a hardware
+		enhancement aimed at mitigating the Retpoline vulnerability.
+		It inserts the endbr64 instruction at the beginning of functions,
+		which may impact CPU branch prediction performance.
+
+
 endif